Free Malware Removal Forum


Several days ago I downloaded something from a free site (a way to copy audio from youtube to my computer) and ended up with endless popups. I uninstalled all programs that were installed on 2/4 and 2/5 one of which was sales1.1. The popups I have are all unisaless and I found 2 of these program files on my C drive but could not delete them. Computer is running slow, there are numerous popups plus underscored words throughout normal text that show unisales when I hover over them. I've run McAfee and Malwarebytes and supposedly some threats have been found and quarantined but the problems still persist.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.

Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.

Hi

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:

Do not edit your logs in any way whatsoever.

Perform all actions in the order given.

If you don't know, stop and ask! Don't keep going on.

Please reply to this thread. Do not start a new topic.

Stick with it till you're given the all clear.

Remember, absence of symptoms does not mean the infection is all gone.

Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.

Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.

If you can do these things, everything should go smoothly.

As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

There are clear signs of infection on your computer, however before we start to clean your machine I'd like you to run a couple of additional scans for me, so that I've got a more complete picture of what we need to deal with.

When finished searching a log will open on your Desktop ... Search.txt

Please post it in your next reply.

Summary of the logs I need from you in your next post:

FRST.txt

Addition.txt

ADWCleaner log

Search.txt

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.

I have backed up my files and registry. Ran Frst.64 and the logs are attached below. While scanning, my McAfee antivirus program flashed on warning there was a potentially dangerous file being blocked. I closed the message and let the scan continue to run. Will send the adwcleaner log and search.txt in a 2nd reply.

Some content of TEMP:
====================
C:\Users\paula\AppData\Local\Temp\3D4f52D50CB.exe
C:\Users\paula\AppData\Local\Temp\57377.exe
C:\Users\paula\AppData\Local\Temp\AB166CB1E83.exe
C:\Users\paula\AppData\Local\Temp\cecabficcdg.exe
C:\Users\paula\AppData\Local\Temp\SpOrder.dll

System errors:
=============
Error: (02/08/2015 11:44:30 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (02/05/2015 10:00:02 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: %%1068

Error: (02/05/2015 10:00:02 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: %%1068

Error: (02/05/2015 10:00:00 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: %%1068

Error: (02/05/2015 10:00:00 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: %%1068

[ue2fhs5a.default] - Line Found : user_pref("browser.search.defaultenginename", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.order.1", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.selectedEngine", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.order.1,S", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.defaulturl", "hxxp://websearch.thesearchpage.info/?pid=2457&r=2015/02/04&hid=5778463939216614492&lg=EN&cc=US&unqvl=74&l=1&q=");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.order.1,S", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");
[ue2fhs5a.default] - Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");
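Added example, not part of the thread and not AdwCleaner's own code: the log entries above all follow the shape [profile] - Line Found : user_pref("key", "value");, and the Python below parses that shape into per-profile preferences and reports which search engine name and URL host were written into the profile. The sample log, profile name and host are constructed placeholders, and the function names parse_line_found and summarize are chosen here.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the "[profile] - Line Found : user_pref(...)" shape.
# Profile name, engine name and host are placeholders, not values from the thread.
SAMPLE_LOG = '''\
[abcd1234.default] - Line Found : user_pref("browser.search.defaultenginename", "ExampleSearch");
[abcd1234.default] - Line Found : user_pref("browser.search.selectedEngine", "ExampleSearch");
[abcd1234.default] - Line Found : user_pref("browser.search.order.1,S", "ExampleSearch");
[abcd1234.default] - Line Found : user_pref("browser.search.defaulturl", "hxxp://search.example.invalid/?pid=1&q=");
[abcd1234.default] - Line Found : user_pref("browser.search.order.1,S", "ExampleSearch");
'''

ENTRY = re.compile(
    r'\[(?P<profile>[^\]]+)\] - Line Found : '
    r'user_pref\("(?P<key>[^"]+)",\s*"(?P<value>[^"]*)"\);'
)

def parse_line_found(text):
    """Return {profile: {pref_key: value}} with repeated entries collapsed.

    finditer is used instead of splitting on newlines, so a log whose line
    breaks were lost when it was pasted into a forum post still parses.
    """
    profiles = defaultdict(dict)
    for m in ENTRY.finditer(text):
        profiles[m["profile"]][m["key"]] = m["value"]
    return dict(profiles)

def summarize(prefs):
    """Summarise the browser.search.* preferences of one profile."""
    engines, hosts = set(), set()
    for key, value in prefs.items():
        if not key.startswith("browser.search."):
            continue
        if "url" in key.lower():
            # Logs often defang URLs as hxxp://; undo that only for parsing.
            url = re.sub(r"^hxxp", "http", value, flags=re.I)
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
        else:
            engines.add(value)
    return {"engines": sorted(engines), "url_hosts": sorted(hosts)}

if __name__ == "__main__":
    for profile, prefs in parse_line_found(SAMPLE_LOG).items():
        print(profile, summarize(prefs))
```
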

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Java 7 Update 67

Google Chrome

Old out of date versions of Java can be exploited. Unless you have a specific need for Java, I would not bother having it installed. Very few websites use Java these days (as opposed to Javascript, which almost all websites use, and which is not the same thing at all) and most people get on fine without it. Personally I have not had it installed on my computer for over 2 years now, and I can't remember the last time I couldn't see any web content because I didn't have it.

If you absolutely must use java, then always use the latest version. Java is often exploited.

Your current version of Google Chrome has been modified to the Dev Build so that the inbuilt security features of Chrome are not switched on ...

CHR dev: Chrome dev build detected! <======= ATTENTION

... if you have done this yourself, please let me know, if not, then you need to uninstall Chrome. You can install a new copy when your computer is clean.

When you uninstall it, you may be asked if you want to get rid of your saved settings, if so, you need to purge your settings. Do not save them or you will get re-infected.

Reboot your computer once the two programs are uninstalled.

Next ...

Double click AdwCleaner.exe to run it.

Click Scan and allow the scan to finish.

Now click Clean to remove the items found.

Click OK to the prompt.

The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.

Post the contents of the logfile with your next reply.

You can also find the logfile at C:\AdwCleaner[s1].txt.

Next ...

Click Start

Type notepad.exe in the search programs and files box and click Enter.

A blank Notepad page should open.

Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).

Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....

Press the Fix button once and wait.

FRST will process fixlist.txt

When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe

Please post me the log

Summary of the logs I need from you in your next post:

ADWCleaner log

Fixlog.txt

Let me know how your computer is behaving now please.

Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.

Gary, every time I try to uninstall Java, I get the window saying it is "preparing to remove" but it does not get uninstalled. Then I get a message saying update 67 is requesting permission to make changes to your computer. I haven't allowed this - should I? Not sure if this is the final step to uninstalling or something else is going on and didn't want to take the chance to approve it. Also McAfee message saying a potentially dangerous program is being blocked "multiplug-FVG".

Chrome is uninstalled, but please advise about the java uninstallation. Thanks.

The scans we've run so far have been specific to the infection we've been dealing with, and their scope is fairly subscribed, so I'd like to run a more general scan with a wider ranging scope. Infections like yours often come with "fellow travellers", so I'd like to make sure we've got everything.

Please run a scan with ESET Online Scanner. The scan will take quite a time to complete, but it's very thorough.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

Select the option YES, I accept the Terms of Use then click on:

When prompted allow the Add-On/Active X to install.

Make sure that the option Remove found threats is NOT checked.

Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications

Scan for potentially unsafe applications

Enable Anti-Stealth Technology

Now click on:

The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.

When completed click on Start to start the scan.

Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

When completed you will be presented with a list of found threats ....

Directions to disable McAfee Security directed me to areas that didn't exist when I opened the program. I turned off firewall and real time scanning. Does this qualify as disabling it? Want to be sure before I continue.
